Tag Info

If Bob does NOT care to check signatures (as in the question), Eve can send ANY message she wants to Bob pretending to be Alice, including but not limited to messages Eve got from Alice; all Eve needs is Bob's public key (which, as the name implies, is assumed public knowledge thus known to Eve) and straight use of PGP.
Therefore the right question is: Can ...

In addition to the performance problems poncho already mentioned when using RSA signatures without hashing I just want to add on the security warning of poncho:
Reordering
If you have a message $m>N$ with $N$ being the RSA modulus, then you have to perform at least 2 RSA signatures as $m$ does not longer fit into $Z_N$. Let us assume that it requires ...

Well, one reason to hash the data before signing it is because RSA can handle only so much data; we might want to sign messages longer than that.
For example, suppose we are using a 2k RSA key; that means that the RSA operation can handle messages up to 2047 bits; or 255 bytes. We often want to sign messages longer than 255 bytes. By hashing the message ...

If we note $|m|$ the number of bits in the bytestring coding the message $m$, the first padding considered is $m\mapsto \tilde m=257\cdot2^{|m|}+m$, and the signature is $m\mapsto\tilde S(m)=S(\tilde m)=\tilde m^d\bmod N$, where $S$ is the textbook/naked RSA signing $m\mapsto m^d\bmod N$. Notice that for any $m$ small enough that $m^2$ can be signed, we can ...

If the message is random each additional signature halves the security level. If the message is chosen by the attacker, two signatures (of messages where each bit differs) are enough for a complete break.
A security level of about 64 bits can be broken by a determined attacker, and a level of 32 bits can be trivially broken on a single home computer.
So if ...

For the first part of your question: Yes, if Mallory manages to publish is own public key under Alice's name, then there is really nothing to stop him.
This problem is addressed with public key infrastuctures and public key certificates.
That is, for Bob to believe that the public key is Alice's key, Mallory would need to have a trusted third party attest, ...

The attack is even more simple with RSA than with symmetric keys, because the asymmetric encryption key is assumed to be public.
Let me tell you a story involving Alice, Bob and Mallory :). Alice wants to send a message to Bob using RSA.
Alice encrypts the message using Bob's public key and sends it
Mallory performs a Man-In-The-Middle attack, and ...

If you don't want to store the anti-CSRF tokens on the server, for most purposes it is sufficient to simply store the token as an HTTP cookie on the client. The OWASP wiki calls this technique "Double Submit Cookies".
The reason this works is that, in the standard CSRF attack scenarios, the attacker cannot directly read or modify the user's cookies. ...

As correctly pointed out in a comment, the authenticated encryption model assumes that
the attacker knows the algorithm;
the attacker can query the encryption oracle with any plaintext $P$ (and a unique nonce $N$) and get MAC-then-Encrypt ciphertext $C$;
the attacker can query the decryption oracle with any string $C$ pretending to be a ciphertext.
No ...

Given a set of (unhashed) Lamport signatures using the same key, an attacker can trivially forge a signature for any message whose $k$-th bit, for each $k$, is equal to the $k$-th bit of at least one of the signed messages.
For example, let's say I know the Lamport signatures for the following 16-bit messages using the same key:
$$
m_1 = 0001111101110001 ...

Considering the padding as an addition, padded message passed to sign is $m\cdot 2^{16}+0101$, $0101$ in hexadecimal, assuming padding is done on the lower bytes (for higher bytes the logic is just the same). Being $e$ the private exponent, and $m^2$ computed in the size of $m$,
$(m\cdot 2^{16}+0101)^e \pmod m$ is very different from $(m^2\cdot ...

I assume that the deadline for the homework is passed, so I will provide an answer:
Let us assume that we have the public key $y=g^x \pmod p$ and the private key to be $x$.
Computing an ElGamal signature for a message $m \in Z_p^*$ amounts to:
choosing $k\in Z_p^*$
$r\equiv g^k \pmod p$
$s\equiv (m-xk)k^{-1} \pmod{p-1}$ which is equivalent to $m\equiv ...

What do you mean by forge? If you are asking about (the common) existential forgery, then two message, signature pairs are enough, given that the messages differ in at least two bits.
As an example consider that you have the signatures for $m_1 = 1111$ and $m_2 = 1100$.
Considering the preimages you now have, you can forge signatures for $m_3=1101$ and ...